Privacy Policy and Cookies Policy - Bayadera Poland Sp. z o.o.

I. Information about the Data Controller

The controller of personal data is Bayadera Poland Spółka z ograniczoną odpowiedzialnością, NIP: 6772407816, with its registered office in Warsaw at ul. Jana Dantyszka 18, 02-054 Warsaw. The company is entered in the Register of Entrepreneurs of the National Court Register (KRS) under number 0000637718, maintained by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register.

All matters concerning the processing of personal data may be addressed to the Controller by e-mail at: biuro@bayaderagroup.pl or in writing to the registered office address indicated above. The Controller has not appointed a Data Protection Officer; therefore, in matters related to privacy, contact should be made directly with the Controller.

II. Legal Basis and Compliance with Regulations

The processing of personal data is carried out in accordance with the applicable provisions of law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and the relevant provisions of Polish law. The Controller takes special care to protect the privacy of persons using the Service and processes personal data solely to the extent necessary to achieve the indicated, lawful purposes. Personal data are collected for specific and clearly defined purposes, are not further processed in a manner incompatible with those purposes, and are retained no longer than is necessary to achieve those purposes.

The Controller ensures that appropriate technical and organizational measures are applied to ensure that the processing of data is carried out in accordance with the law and to protect the data against unauthorized access, loss or disclosure (detailed information on data security is provided in the further part of this Policy).

III. Scope of Data and Methods of Collection

Data provided by the user: Use of the website bayaderagroup.pl does not require creating an account or registration. The only place where personal data may be provided is through the voluntary use of forms (e.g. the contact form) or by contacting the Controller via the provided e-mail addresses or telephone numbers. In such cases, primarily identification and contact data are provided (e.g. name and surname or company name, e-mail address, telephone number – optional), as well as the content of the message and, in the case of recruitment, also the data contained in CVs and other recruitment documents.

Providing such data is voluntary, but may be necessary in order to use certain functionalities (e.g. without providing contact details it will not be possible to respond to an inquiry submitted).

Data collected automatically:

When visiting the website, the Service’s IT systems may automatically collect certain technical information about such visit. Such data include, in particular: the IP address of the device from which the connection is made, browser type and version, device type, screen resolution, operating system used, approximate location, time of the visit, the address of the visited page (URL) and the address of the previously visited page (referrer), as well as information about activity within the Service (e.g. subpages viewed, elements clicked). As a rule, these data do not allow for direct identification of a specific user and are not used for such identification. They are used for technical purposes (ensuring proper display and operation of the Service), analytical and statistical purposes (e.g. preparation of anonymous visit statistics), and security purposes (monitoring potential abuse, attacks, etc.).

Cookies: The Service uses so-called cookies and similar technologies (e.g. Local Storage). These are small text files stored on the user’s device (computer, smartphone, etc.) while browsing the website. Detailed information about the cookies used, their categories, purposes and methods of managing them is provided in Section V (Cookies and Similar Technologies) below.

IV. Purposes, Legal Bases and Retention Periods of Processing of Personal Data

The Controller may process personal data for the following purposes, on the legal bases specified below and for the periods indicated:

Contact and handling of inquiries (contact form, e-mail, telephone): When a person uses the contact form available in the Service or contacts the Controller by e-mail or telephone, the personal data provided (e.g. name, surname/company name, e-mail address, telephone number – if provided, and other information included in the content of the message) are processed in order to identify the sender and handle the inquiry, i.e. to provide an answer to the question asked or to deal with the matter presented. Providing such data is voluntary, but necessary in order to enable return contact and provide a response. The legal basis for the processing of personal data for the purpose of handling inquiries is the legitimate interest of the Controller consisting in the possibility of responding to inquiries from persons interested in the Controller’s activity (Article 6(1)(f) GDPR). The legitimate interest in this case consists in maintaining communication with persons who themselves initiate contact. If a separate checkbox regarding the sending of marketing information is included in the contact form, the legal basis for the processing of data for the purpose of direct marketing is voluntary consent (Article 6(1)(a) GDPR). You have the right to object to the processing of personal data based on the legitimate interest of the Controller. In the event that this right is exercised, the Controller will cease processing the data for this purpose unless it demonstrates the existence of compelling legitimate grounds for the processing which override your interests, rights and freedoms, or grounds for the establishment, exercise or defense of legal claims. Data from correspondence are stored for the period necessary to handle and complete the given matter (exchange of messages), and after its completion – until consent is withdrawn or an effective objection to further processing is submitted.
If no objection is raised earlier, data from correspondence may be stored for a period of up to 6 months from the end of contact – in case of renewed contact regarding the same matter or for the purpose of demonstrating the course of communication in the event of potential claims.

Verification of users’ adulthood (age gate): Due to the profile of the Controller’s activity (alcohol industry) and legal requirements, the Service is intended exclusively for adults. Upon entering the website, an age verification mechanism (the so-called age gate) is displayed, requiring confirmation that the user has reached the age of 18. The purpose of processing data in this case is to prevent access to content by minors, which constitutes the implementation of the applicable legal provisions prohibiting the advertising and promotion of alcoholic beverages among minors. The legal basis for processing is the performance of a legal obligation incumbent on the Controller (Article 6(1)(c) GDPR), resulting from the Act of 26 October 1982 on upbringing in sobriety and counteracting alcoholism, which prohibits the promotion of alcohol directed at minors. The verification process takes place to the minimum extent required – it is not necessary to provide a name or an exact date of birth, but only to confirm adulthood. Information about the completed verification may be stored in the form of a non-identifying cookie in the user’s browser, which makes it possible not to display the message again during the same session.

Retention period: data related to age verification (e.g. information stored in cookies) are stored only for the duration of the given session on the website (after closing the browser, age confirmation will be required again during the next visit) or for a short, predefined period – solely for the purpose of remembering the setting for the user’s convenience. If it is indicated (via the age gate) that a given person is not of legal age, the Service will block access to the website (this may mean redirection to another website or re-displaying the message when attempting to enter). Information about the refusal of access is not stored longer than is necessary to enforce the restriction (also usually only until the end of the current session).

Social media profiles: Official corporate profiles/pages are operated on social networking services such as Facebook, Instagram and LinkedIn (depending on current activity – information about official profiles is available on the website). When a user visits our profiles or interacts with the content published there (e.g. likes a post, adds a comment, sends a private message or follows a profile), his or her personal data that are visible in the profile on the given service (such as name and surname/username, profile picture, content of comments, profile identifier and, where applicable, also contact data provided in a message) may be processed. These data are processed exclusively within the given social networking service for the purpose of administering our corporate profile and communicating with users, i.e. responding to public comments or private messages, reacting to activity (likes, shares) and carrying out promotional activities within the given service (e.g. organizing competitions, publishing company events). The legal basis for such processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the promotion of the brand, maintaining a community around our products and communication with persons interested in our activity. With regard to data processed when visiting our Facebook or Instagram fan pages, we act as joint controllers together with Meta Platforms Ireland Ltd., pursuant to Article 26 GDPR. Joint controllership covers only aggregated statistical data (Insights) concerning user activity. Meta is responsible for the exercise of data subjects’ rights and for data security, while we use the provided statistics solely for the purpose of analyzing traffic and improving published content. Information on the principles of joint controllership is available in Meta’s documentation. 
We recommend that users familiarize themselves with the privacy policy of the relevant social networking service in order to learn about the principles of data processing by its controller.

Retention period: The Controller does not separately store personal data of social network users outside those services (unless, for example, with the user’s consent, contact data are obtained for another purpose – which would in each case be specified separately). Information about a user’s activity on our profiles remains available within the social networking platform in accordance with the settings and regulations of that platform – for example, a comment or message will remain visible until it is deleted by the author, by the Controller (e.g. in the event of violation of standards) or by the platform operator. The Controller may have access to aggregated statistics regarding profile visitors (e.g. demographic data, reach of posts) provided by the platform operator – these are used on the basis of the legitimate interest in improving communication and tailoring content to recipients. Statistical information does not allow for the identification of individual users.

Recruitment of employees/cooperators: If, in response to a job offer or spontaneously, application documents (CV, cover letter, etc.) are submitted to the Controller, the personal data contained therein will be processed for the purpose of conducting recruitment for the position indicated in the announcement or – in the case of spontaneous applications – for the purpose of possibly offering employment or cooperation. Personal data of candidates may include information required by labor law provisions (e.g. Article 22¹ §1 of the Polish Labour Code – including in particular name and surname, contact details, education, professional qualifications and the course of previous employment) as well as any other data provided by the candidate on his or her own initiative. Providing data is voluntary but necessary in order to participate in the recruitment process – without providing such data, the candidate’s application will not be considered.

The legal bases for the processing of candidates’ personal data include:

Taking action at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR) – this legal basis generally covers the processing of ordinary personal data necessary to assess the candidate’s application and possibly conclude a contract. It enables the evaluation of the candidate’s qualifications and abilities prior to potential employment.

Legal obligation incumbent on the Controller (Article 6(1)(c) GDPR in conjunction with labor law provisions) – this applies to data that the Controller is required to collect under applicable law (as indicated above, basic identification data of the candidate, and in the case of employment also additional data such as the PESEL number, residential address, documents confirming required qualifications, etc.). To the extent that the law requires the collection of specific data from a candidate, failure to provide such data may prevent the continuation of the recruitment process.

Consent (Article 6(1)(a) GDPR) – in the case of providing in recruitment documents additional data exceeding the scope required by law (e.g. image/photograph, information on interests, references, etc.), it is assumed that the candidate has given voluntary consent to the processing of such additional information. Furthermore, if the candidate wishes his or her application documents to be used also in future recruitment processes, he or she may be asked to grant separate consent for the storage of the CV in the database for a longer period (in the absence of such consent, the documents will be deleted after completion of the current recruitment process).

Legitimate interest of the Controller (Article 6(1)(f) GDPR) – this may constitute a legal basis for processing to the extent that the Controller must defend itself against potential legal claims or pursue its rights (e.g. in the event of a dispute with a candidate concerning the course of the recruitment process or allegations of discrimination). In such a case, the legitimate interest of the Controller consists in protection against potential allegations and in the defense of its rights.

Retention period (recruitment): Data of a candidate who has not been employed are stored for a period of 3 years from the completion of the recruitment process. The legal basis for such storage is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the possibility of defending against potential claims, in particular claims relating to discrimination in the recruitment process. Pursuant to Article 291 § 1 of the Polish Labour Code, claims arising from an employment relationship (including claims of candidates concerning violations of the principle of equal treatment in recruitment) become time-barred after 3 years, which justifies the indicated data retention period. If the candidate has given separate consent to participate in future recruitment processes and to store his or her data in the candidate database, the CV and contact details may be stored for the period indicated in such consent, but not longer than 3 years from the date of granting consent (or until withdrawal of consent – whichever occurs earlier). In the event of withdrawal of consent, the data will be deleted immediately. After the expiry of the above period (or after withdrawal of consent), application documents are permanently deleted from the Controller’s databases. Data of a candidate who is employed will be included in the employee’s personal file and will be stored in accordance with labor law provisions (for the duration of employment and the statutory archiving period after termination of employment).

Performance of legal obligations and potential claims: Regardless of the above purposes, the Controller may process certain personal data in order to fulfill its legal obligations (e.g. tax and accounting obligations in the case of transactions or issuance of financial documents; obligations arising from consumer law in the event of handling complaints regarding products) and in order to establish, exercise or defend legal claims (both on the part of the Controller and in the event of claims asserted against the Controller). In such a case, the legal basis for processing is, respectively, a legal obligation (Article 6(1)(c) GDPR) – to the extent that specific provisions require data to be stored for a defined period (e.g. financial documentation, accounting records, correspondence relating to complaints) – and the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in securing information in case it is necessary to demonstrate certain legal facts, defend against allegations or pursue its rights.

Retention period: Data processed for the above purposes are stored for periods required by law (e.g. accounting documents – 5 years from the end of the financial year in which the tax obligation arose; complaint documentation – 1 year after providing a response to the complaint, in accordance with the Act on Consumer Rights) or for the period of limitation of potential claims (in accordance with the time limits resulting from the Civil Code: as a rule 6 years, and for periodic claims and claims related to business activity – 3 years). If in a given case legal proceedings are initiated or are pending, the data may be stored for a longer period – until the final conclusion of the dispute and the execution of the final decision.

Analysis of website traffic and statistical purposes (analytical cookies): In order to better understand how users use the Service and to improve its functionality, data concerning users’ activity on the website, collected automatically using analytical tools (e.g. Google Analytics), may be processed. Such data include, in particular, information about the device and browser, IP address, unique cookie identifiers and events occurring within the Service (e.g. page views, clicks). The purpose of such processing is to create statistics and reports on the functioning of the website, optimize its operation, and detect errors and elements requiring improvement. For example, the total number of visitors, the most frequently visited subpages, and the average time spent on the website are analyzed. These data are of an aggregated and anonymous nature (the Controller does not take any actions aimed at identifying individual users). The legal basis for such processing is consent expressed through cookie settings (Article 6(1)(a) GDPR). In accordance with applicable regulations, in particular Article 399 of the Electronic Communications Law, upon the first visit to the Service a message is displayed requesting consent to the use of certain cookies – analytical tools are activated only after such consent has been obtained. The user has full control over whether to give consent to the statistical analysis of his or her visits. In the absence of consent, no cookies will be placed on the user’s device other than those necessary for the operation of the website (and, accordingly, analytical tools will not be activated). If consent is given, it may be withdrawn at any time or preferences may be changed (details are provided below).

Retention period: Analytical data collected using cookies are stored for the period specified in the settings of those cookies. In the case of Google Analytics, data on user activity are anonymized and aggregated into statistical form; analytical identifiers (e.g. the _ga cookie) may be stored on the user’s device usually for up to 14 months from the last activity or in accordance with Google’s current policy. Detailed information on retention periods can be found in the documentation of analytical tool providers – for example, Google publishes such information in its privacy policy (a link is provided in the cookies section). Server logs (including, inter alia, IP address, date and time of connection, and error information) are processed for the purpose of ensuring the security of the Service, detecting abuse, monitoring system operation and handling technical incidents.

The legal basis for such processing is the legitimate interest of the Controller consisting in maintaining the security and proper functioning of the Service (Article 6(1)(f) GDPR).

Data contained in logs are stored for a period of up to 30 days, unless longer storage is necessary to establish, exercise or defend legal claims or to handle a security incident. After the expiry of the indicated periods, statistical data may continue to be used solely in aggregated form (deprived of features enabling the identification of specific users) for analytical and comparative purposes over a longer period.

Is the provision of data mandatory? Providing personal data for the purposes indicated above is, as a rule, voluntary; however, in practice it is necessary in order to achieve a given processing purpose. This means that failure to provide the required data will prevent the achievement of a specific purpose, for example:

• failure to provide contact details will make it impossible to respond to an inquiry;

• failure to confirm adulthood will make it impossible to use the Service (minors may not browse the content of the website due to legal requirements);

• failure to provide data in the recruitment process will result in the candidate’s application not being considered;

• failure to accept cookies (other than those necessary) will result in no data being collected about the user’s activity on the website for analytical purposes (which does not affect the basic use of the Service).

In certain cases, the provision of data may result from a statutory requirement – for example, if a contract is concluded, it will be necessary to obtain certain data required by law (e.g. data for issuing an invoice, employee data in the case of employment). In such situations, the data subject will be separately informed about the mandatory nature of providing specific information and the consequences of failure to provide such data. Apart from these situations, providing data to the Controller is voluntary; however – as explained above – it is necessary in order to use certain functionalities or services.

V. Cookies and Similar Technologies

Our website, like most websites, uses cookies and other similar technologies (such as Local Storage, Facebook Pixel and script tags) in order to ensure its proper functioning and to improve the offered functionalities. Below we explain what types of cookies are used, for what purposes, and what options are available for managing them.

1. What are cookies?

Cookies are small text files stored on a device by websites that are visited. They contain various information that may be read during subsequent visits to the same website. Cookies usually assign the user’s browser a unique identifier, which allows the website to “remember” a given visit or preferences (e.g. the selected language version of the website). Within the Service, we also use similar browser-side solutions such as Local Storage (persistent browser memory) – for simplicity, all these technologies are collectively referred to as “cookies”.

2. What types of cookies do we use?

The following categories of cookies may be used in the Service:

Necessary (technical) cookies: These are cookies necessary for the proper functioning of the website and for using its basic functions. They enable, among other things, navigation, correct display of content and the operation of key mechanisms (such as age verification or the functioning of forms). Without these cookies, the Service might not function properly. This category includes, for example, cookies that remember the confirmation of adulthood (so that the age gate does not appear on every subpage) as well as cookies used for load balancing on the server or for saving interface preferences. Technical cookies are always active, because without them the Controller would not be able to provide electronic services actually requested by the user (such as displaying the website or sending a message via a form). The legal basis for the use of necessary cookies is the legitimate interest of the Controller in ensuring the proper functioning of the Service and the provision of services requested by users (Article 6(1)(f) GDPR), as well as Article 399 of the Electronic Communications Law.

Functional cookies: These cookies are not absolutely necessary for the operation of the website, but they facilitate its use by providing certain extended functionalities. They allow, for example, the storage of user preferences and settings (such as the selected language version of the website, time zone or font size), so that these choices do not have to be made again during subsequent visits. Thanks to functional cookies, the use of the Service may be better tailored to individual needs. Since the use of functional cookies involves storing or reading information on the user’s device, their use requires the user’s prior consent, in accordance with Article 399 of the Electronic Communications Law and Article 6(1)(a) GDPR. Functional cookies are activated only when the user gives consent to them via the cookie banner or preference settings. Withdrawal of consent results in disabling these functionalities without affecting the basic operation of the Service.

Analytical and statistical cookies: These cookies make it possible to collect information about how users interact with the Service – which subpages they visit, how much time they spend on them, what they click on, and from which devices or geographical regions visits originate, etc. Such data help to assess the performance of the website, identify areas requiring improvement and better understand visitors’ preferences. For this purpose, we use tools of external providers, such as Google Analytics (a web analytics service provided by Google Ireland Ltd.). Google Analytics uses its own cookies (including, inter alia, _ga, _gid and _gat) to distinguish users and generate statistics regarding website traffic. Information generated by these cookies (including, in particular, data concerning the IP address and activity on the website) is anonymous for us in the sense that we do not assign it to specific individuals – it is used solely for aggregated analyses. Note: analytical cookies are not activated without the user’s consent. Upon the first visit, a request for consent to their use is displayed (details are provided below in point 4). The legal basis for the use of analytical cookies is consent (Article 6(1)(a) GDPR).

Marketing (advertising) cookies of third parties: Our Service does not display external advertisements and currently does not use its own marketing cookies for profiling users for advertising purposes. However, it is possible to use marketing tools of third parties that involve the use of their cookies – an example is Facebook Pixel (Meta Pixel), which integrates the website with the Meta platform (Facebook/Instagram). Such a tool makes it possible to direct personalized advertisements of our products to visitors of the Service on Facebook/Instagram (so-called remarketing) and to measure the effectiveness of such advertisements. Facebook Pixel may store cookies on the user’s device such as _fbp, usida, datr, etc. It should be emphasized that at present we do not conduct active remarketing campaigns, and any potential use of third-party marketing cookies will in each case be communicated and covered by a consent mechanism (analogously to analytical cookies). The legal basis for the use of such cookies would be the user’s consent (Article 6(1)(a) GDPR). At present, if the website contains content originating from third-party services (e.g. embedded YouTube videos, Google Maps, Facebook “Like” buttons, etc.), such services may also store their own cookies in order to provide their services properly. Such cookies are subject to the privacy policies of those external providers – for example YouTube/Google or Meta (Facebook). The Controller will make every effort to inform users about the addition of such elements on the website.

3. Cookie retention periods:

• Cookie confirming adulthood: until the end of the current session (after closing the browser, age verification will be required again).

• Preference cookies (e.g. language selection): up to 1 year or until cookies are deleted.

• Google Analytics (_ga): 14 months from the last use (default analytical data retention period; may change in accordance with Google’s policy).

• Google Analytics (_gid): 24 hours (a cookie used to distinguish consecutive visits within a short time period).

• Google Analytics (_gat): 1 minute (a cookie used to limit the number of requests).

• Facebook Pixel (_fbp): 3 months.

• Facebook Pixel (usida): until the end of the browser session.

(The above values may change depending on the settings of the providers; current information is available on the Google and Facebook help pages – links are provided in point 5 below.)

4. Consent mechanism – cookie banner:

In accordance with legal requirements, upon the first visit to the Service a clear message (banner) concerning cookies is displayed, informing the user about the purpose of storing and accessing cookies on the user’s device and enabling the user to give or refuse consent. The user has the possibility to manage cookie settings – he or she may agree to all categories of optional cookies (the “Accept” button), reject all cookies other than those necessary (“Reject non-essential”), or customize preferences by selecting individual categories (e.g. only analytical cookies, without marketing cookies). Until consent is given, no non-essential cookies will be activated – only technical cookies that are absolutely necessary for the operation of the website will be placed on the user’s device. The decision regarding consent to cookies may also be postponed – the mere fact of continuing to browse the Service without clicking any option is not treated as consent (by default, non-essential cookies remain disabled until the user makes a choice). The cookie banner may reappear after a certain period of time or when conditions change (e.g. when a new functionality requiring consent is added) – however, we ensure that this message will not be intrusive.

5. Managing cookies – changing settings and withdrawing consent:

If the user has given consent to the use of optional cookies, he or she may withdraw such consent at any time or change preferences. For this purpose, the following options may be used:

Cookie settings widget: by clicking on our cookie settings widget/icon (if available in the Service, e.g. the “Cookie settings” or “Change consent” link in the website footer). This allows the user to reopen the consent management panel and modify previously granted consents.

Web browser settings: most browsers allow users to delete stored cookies and block new cookies (globally for all websites or for selected websites). It should be noted, however, that disabling all cookies (including necessary cookies) may cause problems with the functioning of the Service and may even make it impossible to browse it. Instructions on managing cookie settings can be found in the documentation of the respective browser (e.g. Chrome, Firefox, Edge, Safari).

Opt-out tools: by using available advertising consent management platforms, such as Your Online Choices (www.youronlinechoices.com/pl/), or solutions provided by specific service providers (e.g. Google Analytics Opt-out – a browser add-on that blocks Google Analytics: tools.google.com/dlpage/gaoptout).

Withdrawal of consent to cookies does not affect the lawfulness of earlier processing carried out on the basis of such consent, but will result in the cessation of further data collection by the disabled tools. It should be remembered that in the case of certain third-party cookies (e.g. cookies of social networking services), complete deletion of data related to a visit may require additional actions – for example clearing the browser cache, logging into the account on a given service and changing privacy settings there, etc. In the event of any questions or problems related to cookies, users are encouraged to contact the Controller.

6. Third-party cookies:

By using cookies in our Service, we cooperate with external service providers who may place their own cookies on the user’s device (so-called third-party cookies). This applies mainly to the aforementioned Google Analytics service (provider: Google Ireland Ltd., and potentially also Google LLC in the USA) and to possible cookies of social networking services (if their plugins or pixels appear on the website). With regard to data collected by Google Analytics, Google acts as a data processor on behalf of the Controller and does not use the collected information for its own marketing purposes. Nevertheless, there may be situations in which data collected via cookies are transferred to Google’s servers in the USA (detailed information on this process is provided in Section VII. Transfer of data outside the EEA below). Google Analytics 4 does not record or store users’ IP addresses. The system processes only technical data necessary to generate aggregated statistics concerning the manner of using the Service, without the possibility of identifying specific individuals. The tool is activated only after the user has given consent to analytical cookies. As regards cookies of services such as Facebook (Meta), they are used only if the user has an account with the given service and has consented to linking off-platform activity with advertisements (in accordance with Facebook’s privacy settings). The Controller does not directly obtain personal data from these cookies – it receives only aggregated statistical reports. However, it should be remembered that the operators of these platforms may use information about users’ activity in accordance with their own privacy policies (over which the Controller has no control).

7. Detailed information from providers:

For those interested, below we provide links to websites where more information can be found about the external services used by us and their cookie policies:

Google Privacy Policy: https://policies.google.com/privacy

(includes, inter alia, information on how Google uses data in services such as Google Analytics)

Google Analytics cookie usage: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

Meta (Facebook) Privacy Policy: https://www.facebook.com/privacy/policy

(contains information on data collected by Meta, including through pixels and social plugins)

Facebook cookies (Help Center): https://www.facebook.com/policy/cookies/

(description of individual cookies used by Meta services and their purposes)

We hope that the above information helps to understand how cookies operate in our Service and how they can be managed. Should you have any additional questions, we remain at your disposal.

VI. Recipients of personal data

Personal data are not sold or otherwise made available to third parties for their own marketing or commercial purposes. However, in certain situations they may be entrusted or disclosed to trusted entities whose services the Controller uses or to whom the Controller is legally obliged to transfer such data.

The categories of recipients of personal data include:

Service providers and business partners acting on behalf of the Controller: These include, inter alia, entities providing technical support for the website and the Controller’s IT systems, such as a hosting company providing server space, IT companies responsible for the maintenance and development of the Service, providers of e-mail services, cloud solution providers, and other subcontractors without whose support the provision of services would be difficult. Such entities process data on the basis of appropriate data processing agreements and solely in accordance with the Controller’s instructions, while maintaining confidentiality. For example, a hosting provider may have access to data to the extent necessary for storing them on a server, and an e-mail service provider – to the extent necessary for sending electronic correspondence. All such providers have been carefully selected in terms of ensuring an appropriate level of data security.

Providers of analytical and marketing tools: As described in the cookies section, the Controller uses the services of companies such as Google (Google Analytics) and, where applicable, Meta (Facebook Pixel). These companies may receive certain information about users’ activity in the Service through their integrated codes and cookies (e.g. Google may process information about the user’s device and behavior on the website in order to generate aggregated statistics). In the context of GDPR, the indicated providers act as data processors (e.g. Google Ireland Ltd. with regard to analytical data) or as joint controllers (e.g. Meta Platforms Ireland Ltd. with regard to statistics concerning the use of the corporate Facebook fan page). The Controller has concluded with these entities the agreements required by law (e.g. a data processing addendum for Google Analytics; the so-called controller addendum for Meta statistics) in order to ensure appropriate protection of users’ privacy. Data disclosed to these entities do not contain information enabling the direct identification of a person (such as name, surname or e-mail address) – only technical data or aggregated statistical sets are transferred.

Public authorities and entities authorized by law: The Controller may be obliged to disclose personal data to state authorities or other entities exercising public authority, upon their legitimate request and on the basis of an appropriate legal ground. This applies in particular to judicial authorities (courts, public prosecutors), the Police and other law enforcement bodies, supervisory authorities (e.g. the President of the Personal Data Protection Office), and administrative authorities (e.g. tax offices, trade inspection authorities) – to the extent necessary to fulfill a legal obligation or to respond to a legally binding request. Furthermore, if necessary to protect the Controller’s rights (e.g. to pursue claims before a court), data may be transferred to necessary recipients such as law firms, debt collection agencies or insurers – always within the limits of applicable law. 

In each case of disclosure or entrustment of data to other entities, the Controller ensures that only the minimum scope of information necessary to achieve a given purpose is transferred, and that such entities are obliged to maintain confidentiality and to provide appropriate data security measures.

VII. Transfer of data outside the EEA

We store personal data mainly within the territory of the European Economic Area (EEA). Nevertheless, in connection with the use of certain external services, data may be transferred outside the EEA. This applies in particular to situations where a service provider has its registered office or infrastructure in a third country. For example:

Google LLC (USA): Data collected through Google Analytics may be transferred to Google servers located in the United States (despite the fact that, in our case, the service is administered by a company based in Ireland, Google – as a global company – may store or process data also in the USA). Google participates in the EU–U.S. Data Privacy Framework (DPF) and, moreover, Standard Contractual Clauses (SCC) approved by the European Commission have been concluded with Google LLC, which are intended to ensure an adequate level of protection of the transferred data.

Meta/Facebook (USA): If the Facebook Pixel or other integrations with Facebook/Instagram services are used on the website, data concerning users’ activity may be transferred to Meta Platforms, Inc., with its registered office in the USA. Meta has also joined the EU–U.S. Data Privacy Framework and applies Standard Contractual Clauses in agreements with entities from the EU, which ensures safeguards for data protection comparable to the standards applicable in the EU.

Apart from the cases described above, the Controller makes every effort not to transfer personal data to third countries or international organizations. However, if such a transfer proves necessary (e.g. in connection with a one-time provision of services by an entity outside the EEA), the safeguards required by law will always be ensured – for example, the transfer will be based on a decision of the European Commission confirming an adequate level of protection (if the destination country is included on the list of countries providing an adequate level of data protection) or on the aforementioned Standard Contractual Clauses obliging the data recipient to comply with data protection standards consistent with the GDPR. Where possible, additional security measures will also be implemented, such as encryption of data prior to transmission and minimization of the scope of transferred information to the necessary minimum.

The data subject has the right to obtain a copy of the data transferred to a third country and information about the safeguards applied – for this purpose, the data subject should contact the Controller (contact details are provided in Section I).

VIII. Rights of data subjects

In connection with the processing of personal data, data subjects are entitled to the following rights:

Right of access to data: The data subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, the right of access to such data and to information, inter alia, about the purposes, legal bases and scope of processing, the recipients of the data, the planned period of storage (or the criteria used to determine that period), as well as the rights to which the data subject is entitled. At the request of the data subject, the Controller shall provide a copy of the personal data undergoing processing (the first copy shall be provided free of charge; for any further copies, the Controller may charge a reasonable administrative fee resulting from administrative costs).

Right to rectification of data: The data subject has the right to request the rectification (correction) of personal data that are inaccurate and the completion of incomplete personal data. If it is established, for example, that the Controller has received or recorded an incorrect e-mail address or that there is a typographical error in the data, the Controller should be informed – such information will be corrected without undue delay.

Right to erasure of data (“right to be forgotten”): Every person has the right to request the erasure of all or part of his or her personal data. This right may be exercised in particular where:

• personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

• the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;

• an effective objection to the processing of the data has been raised;

• the personal data have been processed unlawfully;

• the personal data must be erased in order to comply with a legal obligation arising from provisions of law.

It should be remembered that the right to erasure is not absolute – in certain situations the Controller may not be able to comply with a request for erasure of data. This applies in cases where processing is necessary to comply with a legal obligation requiring further processing (e.g. resulting from regulations on archiving financial documentation) or to establish, exercise or defend legal claims (e.g. where court proceedings are still pending), as well as in other situations provided for in Article 17(3) GDPR. In response to a request for erasure of data, the Controller will inform the data subject of any reasons why certain data must be retained despite the submitted request for their deletion.

Right to restriction of processing: The data subject has the right to request that the Controller restrict the processing of his or her personal data (which means that, as a rule, the Controller will only be able to store such data and all other operations will be suspended) in the following cases:

• where the accuracy of the personal data is contested – for a period enabling the Controller to verify the accuracy of the data;

• where the processing is unlawful and the data subject opposes the erasure of the data, requesting instead the restriction of their use;

• where the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;

• where the data subject has objected to processing – pending the verification whether the legitimate grounds on the part of the Controller override the grounds of the objection.

If processing has been restricted, the Controller shall, as a rule, only store such data or use them for the establishment, exercise or defense of legal claims, for the protection of the rights of another person, or for important reasons of public interest – apart from these purposes, processing will remain suspended. The Controller shall inform the data subject before lifting the restriction and taking further actions with regard to such data.

Right to data portability: The data subject has the right to receive from the Controller the personal data concerning him or her, which he or she has previously provided to the Controller, in a structured, commonly used and machine-readable format (e.g. CSV, JSON), and has the right to transmit those data to another controller. This applies in situations where personal data are processed on the basis of consent or a contract with the data subject and the processing is carried out by automated means (in IT systems). Where technically feasible, the data subject may request that the Controller transmit such data directly to another controller indicated by the data subject – provided that this is possible to perform (it should be remembered that the right to data portability applies only to data processed in digital form).

Right to object: The data subject has the right to object at any time – on grounds relating to his or her particular situation – to the processing of personal data concerning him or her where such processing is based on the legitimate interest of the Controller (Article 6(1)(f) GDPR). In such a case, upon receiving the objection, the Controller will reassess whether – due to the particular situation of the person raising the objection – his or her interests, rights and freedoms override the interests pursued by the Controller. If it is determined that the rights of the data subject prevail, the processing covered by the objection will be suspended.

The data subject may also object to the processing of personal data for direct marketing purposes – in such a case, the processing of such data will be discontinued immediately, without the need to carry out any additional assessment.

If the objection concerns the use of data for analytical purposes (e.g. analytical cookies), the mechanisms described in Section V above may be used (e.g. withdrawing consent to cookies, which in practice will be equivalent to submitting an objection to further statistical analysis of data).

Right to withdraw consent: If the processing of personal data is based on consent, the data subject has the right to withdraw the granted consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal – until the moment of withdrawal, the processing is considered lawful. After consent has been withdrawn, the Controller will cease further processing of the data for the purpose for which the consent was granted. Consent may be withdrawn as easily as it was given – for example, by sending an e-mail message to the Controller’s contact address informing about the withdrawal of consent (the content of the message should indicate which consent is being withdrawn).

In the case of consent to cookies, it may be withdrawn by changing the settings in accordance with the description in the cookies section. If consent was granted by ticking an appropriate box (checkbox) in a form, it may be withdrawn by contacting the Controller again and informing him of the decision.

Right to lodge a complaint: If a data subject considers that the processing of personal data infringes the provisions of the GDPR or otherwise violates his or her rights, he or she has the right to lodge a complaint with a supervisory authority. In Poland, the competent authority is the President of the Personal Data Protection Office (UODO). A complaint may be submitted, inter alia, in writing to the address: ul. Stawki 2, 00-193 Warsaw, or via the electronic submission box of the UODO. Detailed information on how to lodge a complaint is available on the authority’s website: https://uodo.gov.pl/pl/p/skargi. Naturally, we recommend first contacting the Controller directly – we will make every effort to clarify any doubts and resolve the matter amicably.

In order to make use of the above rights, the data subject should contact the Controller (contact details are provided in Section I above). Please note that before fulfilling a request, the Controller may ask to verify the identity of the person submitting the request (e.g. by replying from the e-mail address used in previous correspondence or by providing additional identifying information).

The exercise of certain rights may be limited by applicable legal provisions – in such a case, the Controller will explain the specific legal basis for any refusal and will inform whether (and when) it will be possible to comply with the request in the future. The Controller makes every effort to enable data subjects to fully exercise their rights.

IX. Automated Decision-Making and Profiling

The Controller informs that personal data are not subject to automated decision-making processes, including profiling, which would produce legal effects concerning data subjects or similarly significantly affect them. This means that no systems are used which independently – without human involvement – analyze data and, on this basis, for example automatically refuse access to a service, grant discounts or individually shape offers. Any statistical analyses carried out by the Controller (e.g. segmentation of recipients for marketing purposes) do not constitute a form of individual decision-making with regard to specific persons and do not significantly affect them – they serve solely to improve the Controller’s offer and activities internally.

X. Data Security

The Controller applies appropriate technical and organizational measures to ensure the protection of processed personal data. In particular, data are protected against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. For this purpose, the following solutions have been implemented, inter alia:

• Encryption of data transmission: The website uses an SSL/TLS certificate, which means that communication between the user’s browser and the Controller’s server is encrypted (a closed padlock icon is visible in the browser’s address bar). As a result, data transmitted via forms are sent to us in a secure manner and cannot be intercepted by unauthorized persons during transmission over the Internet.

• Access control: Access to personal data is granted only to authorized employees and collaborators of the Controller who have been trained in data protection and are obliged to maintain confidentiality. The Controller’s IT systems are protected against access by unauthorized persons through authentication mechanisms (passwords, access keys) and appropriate configuration of access rights.

• Data minimization: The Controller collects and processes only such data that are genuinely necessary to achieve a specific purpose. We do not collect information “in advance” that would prove unnecessary – thereby reducing the risk of data leakage or improper use of excessive data.

• Server security (firewall): The server on which the Service operates is protected against network attacks by means of a firewall and other infrastructure-level security measures. Server software is regularly updated, and potential threats are continuously monitored.

• Backups: Regular backup copies of data are created, which enables data restoration in the event of a system failure or a security incident. Access to backup copies is strictly limited to authorized persons.

• Monitoring and security testing: We continuously monitor system operations for suspicious activity. We also carry out periodic security tests and audits (internal or external) in order to identify potential weaknesses and improve our security measures.

It should be borne in mind that no method of data transmission over the Internet and no method of electronic data storage guarantees one hundred percent security. Despite applying high standards of protection, the Controller cannot provide an absolute guarantee of the security of transmitted data. We recommend that each user also takes care of his or her own security – for example, by not disclosing logins or passwords to e-mail accounts from which messages are sent to us, by using up-to-date antivirus software and a firewall on their devices, and by logging out after finishing the use of services (especially on public computers).

In the event of a personal data breach (e.g. a data leak or unauthorized access to the system) resulting in a high risk to the rights of data subjects, the Controller shall – in accordance with legal requirements – inform the affected persons of such an incident.

XI. Final Provisions and Amendments to the Privacy Policy

This Privacy Policy enters into force on 9 November 2025 and from that date applies to all visits to the Service and activities undertaken within it. In matters not regulated by this Privacy Policy, the generally applicable provisions of law shall apply, including in particular the GDPR and the relevant national laws on the protection of personal data.

The Privacy Policy may be subject to updates or amendments in the future. This may result, inter alia, from changes in applicable legal provisions, guidelines of supervisory authorities, technological development of the Service or expansion of the scope of the Controller’s services. The Controller reserves the right to amend the content of the Privacy Policy if such a need arises. Any changes will be published on this website in the form of an updated version of the Privacy Policy. The date of the last update (indicated below) means the date from which the current version applies. We recommend regularly reviewing the content of the Privacy Policy in order to remain up to date with information on how personal data are protected.

In the event of introducing significant changes (e.g. changes to the purposes of processing, legal bases, categories of data recipients, etc.), the Controller may additionally inform users in a more direct manner – for example by placing a highlighted notice on the main page of the Service.

If any questions, comments or doubts arise regarding this Privacy Policy or privacy protection practices applied by the Controller in general, please contact the Controller (contact details are provided in Section I above). We are open to dialogue and will be happy to clarify any issues related to the processing of personal data.
